Hackers Compromise Popular Axios JavaScript Library with Hidden Malware

Attackers hijacked a maintainer's account to distribute a remote access trojan through the widely used HTTP client library

Mar. 31, 2026 at 3:25pm

The Axios JavaScript library compromise exposes the growing threat of supply chain attacks targeting critical software dependencies. (NYC Today)

Hackers have compromised the popular Axios JavaScript library, a widely used HTTP client, by exploiting a hijacked account on the npm package manager. The attack installed a remote access trojan (RAT) that could take control of Windows, macOS, and Linux systems. The malicious code was carefully staged and designed to self-destruct, making it difficult to detect. Axios is used in a variety of front-end and back-end applications, putting many developers and their projects at risk.

Why it matters

This supply chain attack on a widely used JavaScript library highlights the growing threat of compromised software dependencies. Attackers are increasingly targeting less secure third-party vendors and software components to gain access to a large number of systems, rather than trying to breach well-defended targets directly. The Axios compromise could have far-reaching consequences, as the library is ubiquitous in web development.

The details

Attackers exploited a hijacked account on the npm package manager to distribute the malware through two compromised Axios packages. The malicious code installed a remote access trojan that could take control of Windows, macOS, and Linux systems. The attack was carefully planned, with the malicious dependencies staged 18 hours in advance and three payloads pre-built for different operating systems. The attackers were able to bypass security checks on GitHub by swapping the email attached to the library with an anonymous Proton Mail address under their control.

  • On March 30, attackers began their attack on the Axios library.
  • The malicious dependencies were staged 18 hours in advance of the attack.
  • The two compromised Axios packages were released within 39 minutes of each other.

The players

Axios

A popular JavaScript HTTP client library used by developers in a variety of front-end and back-end applications.

npm

The default package manager for Node.js, a tool that allows developers to share, install, and manage JavaScript project code.

Step Security Inc.

A security research firm that discovered the Axios compromise and provided details on the attack.

Ashish Kurmi

The co-founder and Chief Technology Officer of Step Security Inc.

John Hammond

The Senior Principal Security Researcher at Huntress Labs Inc.


What they’re saying

“This was not opportunistic. It was precision. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct.”

— Ashish Kurmi, Co-founder and Chief Technology Officer, Step Security Inc.

“There are zero lines of malicious code inside Axios itself, and that's exactly what makes this attack so dangerous.”

— Ashish Kurmi, Co-founder and Chief Technology Officer, Step Security Inc.

“Any environment that installed axios@1.14.1 or axios@0.30.4 should be treated as compromised. Organizations must immediately audit their dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation and scan for malware artifacts specific to each operating system.”

— John Hammond, Senior Principal Security Researcher, Huntress Labs Inc.

What’s next

Security professionals are urging developers to act swiftly: check and update their installed versions of the Axios library, and address any security issues if their systems have been compromised.

The takeaway

The Axios compromise highlights the growing threat of supply chain attacks, where attackers target less secure third-party software components to gain access to a large number of systems. This incident underscores the importance of maintaining vigilance over software dependencies and implementing robust security measures to protect against such insidious attacks.